fix: gate OSS email/password auth endpoints outside local auth mode (#500)

* fix: gate OSS email/password auth endpoints outside local auth mode

The /auth signup/login/me routes were mounted unconditionally, so the
SaaS deployment accepted unauthenticated signups that created oss_*
provider-id users (and auto-provisioned MPS service keys) bypassing
Stack Auth entirely.

Gate them with a router-level dependency that 404s when AUTH_PROVIDER
is not "local", rather than conditionally mounting the router, so the
OpenAPI spec and the clients generated from it stay identical across
deployment modes.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* fix: keep current user route available in stack auth

---------

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Abhishek 2026-07-06 22:18:04 +05:30 committed by GitHub
parent 45afc47473
commit 4fb3193eb5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 91 additions and 3 deletions

View file

@ -20,6 +20,19 @@ from api.services.posthog_client import (
)
from api.utils.auth import decode_jwt_token
async def require_local_auth() -> None:
"""Reject email/password auth requests outside OSS (local) deployments.
The auth router stays mounted in every mode so the OpenAPI spec and the
clients generated from it don't vary with AUTH_PROVIDER; the gate has to
happen at request time. Without it, the SaaS deployment accepts
unauthenticated signups that mint oss_* users bypassing Stack Auth.
"""
if AUTH_PROVIDER != "local":
raise HTTPException(status_code=404, detail="Not found")
POSTHOG_ORGANIZATION_GROUP_TYPE = "organization"
POSTHOG_ORGANIZATION_USES_MPS_BILLING_V2_PROPERTY = "uses_mps_billing_v2"